10gen offers a subscriber build of MongoDB that includes support for SSL communication between nodes in a replica set and between client and mongod. If the cost of a service subscription is prohibitive, it is also possible to build MongoDB from source with SSL enabled.
After downloading the build, I followed the process below to get it running. For a permanent installation, more attention should be given to where these binaries are installed and how upgrades are handled.
$ tar xzvf mongodb-linux-x86_64-subscription-rhel62-2.2.3.tgz
$ cp mongodb-linux-x86_64-subscription-rhel62-2.2.3/bin/* /usr/local/bin/
Next, mongod needs an SSL certificate. For testing, it is easy to create a self-signed certificate with openssl.
$ cd /etc/ssl
$ openssl req -new -x509 -days 365 -nodes -out mongodb-cert.pem -keyout mongodb-cert.key -passout pass:mypass
Generating a 2048 bit RSA private key
........................+++
.....................................+++
writing new private key to 'mongodb-cert.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) :Idaho
Locality Name (eg, city) [Default City]:Boise
Organization Name (eg, company) [Default Company Ltd]:ACME
Organizational Unit Name (eg, section) :IT
Common Name (eg, your name or your server's hostname) :host0123
Email Address :firstname.lastname@example.org
With the certificate and key created, concatenate them into a single PEM file as follows:
$ cat mongodb-cert.key mongodb-cert.pem > mongodb.pem
$ ll
total 12
lrwxrwxrwx 1 root root   16 May 10  2012 certs -> ../pki/tls/certs
-rw-r--r-- 1 root sys  1704 Feb 14 19:21 mongodb-cert.key
-rw-r--r-- 1 root sys  1395 Feb 14 19:21 mongodb-cert.pem
-rw-r--r-- 1 root sys  3099 Feb 14 19:21 mongodb.pem
Finally, start mongod as follows:
$ mongod -dbpath /opt/webhost/local/mongod -logpath /var/log/mongo/mongod.log \
    -keyFile /home/mongod/mongokey \
    --sslOnNormalPorts --sslPEMKeyFile /etc/ssl/mongodb.pem --sslPEMKeyPassword mypass \
    --replSet wildcatset --rest --logappend &
Accessing over SSL
SSL certificate management can be complicated. It is possible to bypass certificate validation when using a self-signed certificate. The Python driver does this by default; Java may require additional work to bypass certificate validation.
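The shell script below is an added example and is not part of the original post or of MongoDB. It reproduces the openssl and cat steps above as a function, then checks the things that usually go wrong before mongod is started: that the key and certificate in the combined file belong together, that the combined file is not readable by other local accounts (the listing above shows mongodb.pem as mode 644, which exposes the private key to every user on the host), and that the certificate is still within its validity period. It also shows the alternative to bypassing validation discussed in this section: because the certificate is self-signed, a client can treat that certificate itself as its trust anchor (demonstrated here with openssl verify, which is what a driver's CA-file or truststore option does). The function names, the --demo flag and the output directory argument are mine; the subject fields follow the post. The script omits -passout because -nodes writes the key unencrypted, so openssl would not apply the password and mongod would need no --sslPEMKeyPassword.

```shell
#!/bin/sh
# Added example (not from the post): build and check the PEM that mongod uses.

# make_mongodb_pem DIR CN [DAYS]
#   Writes DIR/mongodb-cert.key, DIR/mongodb-cert.pem and the combined
#   DIR/mongodb.pem (private key followed by certificate, the order the post uses).
make_mongodb_pem() {
  dir=$1
  cn=$2
  days=${3:-365}
  mkdir -p "$dir" || return 1
  # -nodes leaves the key unencrypted, so no -passout is given (it would be ignored).
  openssl req -new -x509 -days "$days" -nodes -newkey rsa:2048 \
    -subj "/C=US/ST=Idaho/L=Boise/O=ACME/OU=IT/CN=$cn" \
    -keyout "$dir/mongodb-cert.key" -out "$dir/mongodb-cert.pem" 2>/dev/null \
    || return 1
  cat "$dir/mongodb-cert.key" "$dir/mongodb-cert.pem" > "$dir/mongodb.pem" || return 1
  # Files that carry the private key are owner read/write only; the bare
  # certificate is public and may be handed to clients as their trust anchor.
  chmod 600 "$dir/mongodb-cert.key" "$dir/mongodb.pem" || return 1
  chmod 644 "$dir/mongodb-cert.pem"
}

# pem_key_matches_cert PEM
#   Succeeds when the key and certificate in a combined PEM share one public
#   key; a mismatch would make every TLS handshake with mongod fail.
pem_key_matches_cert() {
  key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null)
  cert_pub=$(openssl x509 -in "$1" -pubkey -noout 2>/dev/null)
  [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# pem_is_private FILE
#   Succeeds when neither group nor others can read FILE (POSIX find -perm).
pem_is_private() {
  [ -f "$1" ] \
    && [ -z "$(find "$1" -perm -040 2>/dev/null)" ] \
    && [ -z "$(find "$1" -perm -004 2>/dev/null)" ]
}

# pem_valid_for DAYS PEM
#   Succeeds when the certificate in PEM does not expire within DAYS days.
pem_valid_for() {
  openssl x509 -in "$2" -noout -checkend $(( $1 * 86400 )) >/dev/null 2>&1
}

# cert_self_verifies CERT
#   Succeeds when CERT validates with itself as the only trusted CA, which is
#   how a client pins a self-signed server certificate instead of disabling
#   validation.
cert_self_verifies() {
  openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# Stand-alone usage:  sh mongodb-pem.sh --demo /etc/ssl host0123
if [ "${1:-}" = "--demo" ]; then
  out=${2:-/etc/ssl}
  host=${3:-host0123}
  make_mongodb_pem "$out" "$host" \
    && pem_key_matches_cert "$out/mongodb.pem" \
    && pem_is_private "$out/mongodb.pem" \
    && pem_valid_for 30 "$out/mongodb.pem" \
    && cert_self_verifies "$out/mongodb-cert.pem" \
    && echo "ok: $out/mongodb.pem ready for --sslPEMKeyFile" \
    || { echo "PEM checks failed" >&2; exit 1; }
fi
```

Copy mongodb-cert.pem (never mongodb.pem) to clients and point the driver's CA-file or truststore setting at it; validation then succeeds for this host without being turned off.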